3 Purpose and Intent This report aims to enhance decision makers appreciation of the regulatory and social impacts of data analytics and Big Data by exposing some surprising strengths of data privacy law as well as shortcomings in standard privacy principles. We set out a fresh compact that innovative digital companies can strike with their communities to respect the incredible and privileged insights that Big Data provides. This report offers insights into three of Constellation s primary business research themes, Data to Decisions, Matrix Commerce and the Next-Generation Customer Experience. Executive Summary Big Data concerns the extraction of knowledge and insights from the vast underground rivers of unstructured data that course unseen through cyberspace. It represents one of the biggest challenges to privacy and data protection society has yet seen. Never before has so much personal information been available so freely to so many. Personally Identifiable Information (PII) is the lifeblood of most digital enterprises today. Many social media business models are fueled by a generally one-sided bargain for PII, and the fairness of this value exchange is currently a hot topic. Data analytics and data mining are able to pull PII almost out of thin air. Collectively, digital businesses may have gone too far in their enthusiasm for Big Data, sacrificing the trust of their users for short-term commercial gain. Big Data promises vast benefits for a great many stakeholders but the benefits are jeopardized by the excesses of a few. Some cavalier online businesses are propelled by a naive assumption that data in the public domain is up for grabs;; they err on the side of abandon. Many think the law has not kept pace with technology, but technologists often underestimate the strength of conventional data protection laws and regulations. The extraction of PII from raw data may be interpreted as a collection and as such is subject to longstanding data protection statutes. On the other hand, orthodox privacy policies and freeze-frame user agreements do not cater for the way PII can be conjured tomorrow from raw data collected today. It is unfortunate that privacy compliance efforts so often give the impression of being preoccupied with unwieldy policy documents and simplistic compulsory notices about cookies. Thus, the fit between Big Data and data privacy standards is complex and sometimes surprising. While existing laws are not to be underestimated, Constellation calls for a fresh compact with users that engages them in the far-reaching upside of transforming data to decisions. We call on Big Data businesses to exercise restraint in using powerful analytic tools, to be transparent about their business models, to offer consumers fair value for their data and to innovate in privacy as well as data mining. We call the compact Big Privacy Constellation Research, Inc. All rights reserved. 3

4 Everyone Suffers When Online Crosses the Line Consider Pay-as-You-Drive car insurance, a new product with premiums scaled according to how you drive. By analyzing data from automobile black boxes, the insurance company can tell not only how far the car has gone (so that infrequent drivers can enjoy discounted fees) but can also detect where it has gone, how fast it has been going and so on. Higher risk driving behaviors attract extra levies or other forms of disincentive. GPS signals could be used to inform these services, but explicit vehicle tracking arouses privacy fears. So some Pay-as-You-Drive systems promise not to use GPS, and instead draw only on more innocuous speed and time measurements. Yet, the privacy picture is not so simple. Recent research at the University of Denver has shown that when combined with map data, speed and time can be used to infer the location of a car at any time, just as precisely as GPS coordinates. Dr. Rinku Dewri and his colleagues write that because of this, customer privacy expectations in non-tracking telematics applications need to be reset and new policies need to be implemented to inform customers of possible risks. 1 Constellation does not allege that insurance companies are exploiting automobile black box data in this way, but the temptations of Big Data prove time and time again to be irresistible. If time and speed data can be accessed by third parties and linked to maps or other data sets to extract insights about drivers, it may only be a matter of time before this routinely happens. When businesses go too far with advanced data analytics and leave users feeling violated or betrayed, then everyone suffers. Disillusioned customers don t just abandon the firms that have squandered their trust; they also lose confidence in cyberspace more broadly and withdraw from other new and worthwhile services, like e-government, e-health, digital payments and e-commerce at large. Constellation Chairman and CEO Ray Wang has argued cogently for a correction to the way business is done around Big Data, so customers take back some control: We won t be able to build sustainable digital business models until we agree on some limits to how customer data can be used. A compact must be reached on the balance between privacy and convenience. 2 This research report begins to unpack what such a new compact might look like. First, let s review how Big Data processes and business models convert raw data into Personally Identifiable Information (PII) and expose how this extraction collides with international privacy best practice. The Big Business of Big Data It s not for nothing people call it data mining. The raw material of Big Data namely all the ones and zeroes coursing beneath us in the digital environment is often likened to crude oil, alluding to the enormous riches to be extracted from an undifferentiated matrix. Look at photo data, for instance, and the rapid evolution of tools for monetizing it. These tools range from simple metadata embedded in digital photos which record when, where 2014 Constellation Research, Inc. All rights reserved. 4

5 and with what sort of device they were taken, through to increasingly sophisticated pattern recognition and facial recognition algorithms. Image analysis can extract places and product names from photos and automatically pick out objects. It can identity faces by re-purposing biometric templates that originate from social network users tagging their friends for fun in entirely unrelated images. Image analysis lets social media companies work out what people are doing, when and where, and who they re doing it with, thus revealing personal preferences and relationships, without anyone explicitly liking anything or friending anyone. The ability to mine photo data defines a new digital gold rush. Like petroleum engineering, image analysis is very high tech. There is extraordinary research and development (R&D) going on in face and object recognition. The infomopolies like Facebook and Google (whose fortunes are made on nothing other than information) and digital media companies like Apple have invested enormously in their own R&D and in acquiring start-ups in this space. And, of course, they pay over-the-odds for photo companies like Picasa, Instagram and Snapchat 3 - not merely because photos are fun and tagging them is cool, but because the potential for extracting intelligence from images is unbounded. So more than data mining, Big Data is really about data refining, as suggested by Figure 1, transforming unstructured information into fresh insights, decisions and value. Figure 1. The Metaphor of Data Refining Photo data I M A G E A N A L Y S I S Location from placenames, landmarks Linkages from who took photo, recognised companions Deduced Likes from trend data, recognised objects, emotions Behaviour Patterns from trend data Future Intelligence? Business models for monetizing photo data are still embryonic. Some entrepreneurs are beginning to access photo data from online social networks. For example Facedeals, a proof of concept from advertising invention lab Redpepper, provides automated check-in to retail stores by face recognition; the initial registration process draws on images and other profile information made available by Facebook (with the member s consent) over a public API (see It is not clear if Facedeals accesses the biometric templates, but nothing in Facebook s privacy and data use 2014 Constellation Research, Inc. All rights reserved. 5

6 policies restrains the company from providing or selling the templates. But as we shall see, international privacy regulations do in fact restrict the uses that can be made of the byproducts of Big Data, should they be personal. Facebook has been taken to task for stretching social data analytics beyond what members reasonably expected to occur. 4 We believe more surprises like this await digital businesses in retail, healthcare and other industries. Big Data Cannot Ignore Privacy Law It s often said that technology has outpaced privacy law, yet by and large that's just not the case. Technology has certainly outpaced the intuitions of consumers, who are increasingly alarmed at what Big Data can reveal about them behind their backs. However, data privacy principles set down in 1980 by the Organization of Economic Cooperation and Development (OECD) still work well, despite predating the World Wide Web by decades. Enforcement of privacy laws is gaining momentum everywhere. Outside the U.S., rights-based privacy law has proven effective against many of today's more worrying business practices. Digital entrepreneurs can feel entitled to make any use they like of data that comes their way, but in truth 30-year-old privacy law says otherwise. Information innovators ignore international privacy law at their peril. In this section, we will see why, by reviewing the surprising definition of Personally Identifiable Information, and how good old technology-neutral privacy principles are as relevant as ever. Check the Fine Print in PII! Privacy is personal, as they say, by definition. But it s important to check the technical definition of personal data, because the fine print often surprises. The U.S. General Services Administration (GSA) defines Personally Identifiable Information as information that can be used to distinguish or trace an individual's identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual (underline added). 5 This means that items of data can constitute PII if other data can be combined to identify the person concerned. And note carefully that the fragments are each regarded as PII rather than the whole data that eventually identifies someone. People often presume that PII stands for Personally Identifying (rather than Identifiable) Information. The difference is subtle but very important. The definition means that some data can and should be classified as PII before it is identified, rather than after, with due consideration to the context of the data flows and the potential for identification. This after all is only prudent; if personal data needs certain safeguards, then it is best they be applied before the data is identified and it s too late. For further practical guidance on classifying and treating PII, please see Is it Personal Information or Not? Embrace the Uncertainty, Constellation Research, Inc. All rights reserved. 6

7 Constellation Research Panel Valuable comments on this research were received from the following people (all responsibility for the text remains with Constellation): Professor Graham Greenleaf, Faculty of Law, University of New South Wales. Associate Professor David Lindsay, Faculty of Law, Monash University. Dr. Alana Maurushat, Senior Lecturer, Faculty of Law, University of New South Wales. Rich Toohey, President of Rewards Member Experience, Marriott. Disclosures Your trust is important to us, and as such, we believe in being open and transparent about our financial relationships. With our clients permission, we publish their names on our website Constellation Research, Inc. All rights reserved. 14

8 Analyst Bio: Steve Wilson Steve Wilson is Vice President and Principal Analyst at Constellation Research, Inc. He focuses on digital identity, privacy and cyber security across the business research themes of Consumerization of IT and Next-Generation Customer Experience. Experience Steve has worked in ICT innovation, research, development and analysis for over 25 years. He holds double degrees in physics and electrical engineering. His career began in R&D and medical software engineering in Australia and the U.S. He moved into cyber security in 1995 and specialized in identity management, holding R&D leadership and Principal Consultant roles with Security Domain (later Baltimore Technologies), KPMG, PwC and SecureNet. In 2004, Steve founded Lockstep Consulting to concentrate on identity and privacy research and analysis. He is personally responsible for numerous breakthroughs in difficult areas of identity infrastructure and governance, including national scale authentication, PKI, smartcards, digital credentials, fraud control and privacy engineering. He has provided advice on identity frameworks to the governments of Australia, Hong Kong, New Zealand, Malaysia, Singapore, Kazakhstan and Macau. Influence Steve has been involved in security public policy and industry development for over 16 years. He was a member of the Australian Law Reform Commission s Developing Technology committee ( ), the Federal Privacy Commissioner s PKI Reference Group (2000) and the National E-Authentication Council ( ). He contributed to the American Bar Association PKI Assessment Guidelines ( ) and was co-author of the APEC Electronic Authentication guidelines ( ). Steve chaired the Certification Forum of Australasia over and the OASIS PKI Committee from 2007 to He is a current member of the International Association of Privacy Professionals, the Australian Government Gatekeeper PKI Advisory Committee, and the Privacy Coordination Committee of the National Strategy for Trusted Identities in Cyberspace (NSTIC). Patents System and method for anonymously indexing electronic record systems US 8,347,101; AU Authenticating electronic financial transactions US 8,286,865; US 8,608,065; NZ Verified anonymous code signing AU Decoupling identity in the Internet of Things (pending). Blog: Constellation Research, Inc. All rights reserved. 16

9 About Constellation Research Constellation Research is a research and advisory firm that helps organizations navigate the challenges of digital disruption through business models transformation and the judicious application of disruptive technologies. This renowned group of experienced analysts, led by R Ray Wang, focuses on business-themed research, including Digital Marketing Transformation; Future of Work; Next-Generation Customer Experience; Data to Decisions; Matrix Commerce; Technology Optimization and Innovation; and Consumerization of IT and the New C-Suite. Unlike the legacy analyst firms, Constellation Research is disrupting how research is accessed, what topics are covered and how clients can partner with a research firm to achieve success. Over 225 clients have joined from an ecosystem of buyers, partners, solution providers, C-suite, boards of directors and vendor clients. Our mission is to identify, validate and share insights with our clients. Most of our clients share a common trait - the passion for learning, innovating and delivering impactful results. Organizational Highlights Founded and headquartered in the San Francisco Bay Area, United States, in Named Institute of Industry Analyst Relations (IIAR) New Analyst Firm of the Year in Serving over 225 buy-side and sell-side clients around the globe. Experienced research team with an average of 21 years of practitioner, management and industry experience. Creators of the Constellation Supernova Awards the industry s first and largest recognition of innovators, pioneers and teams who apply emerging and disruptive technology to drive business value. Organizers of the Constellation Connected Enterprise an innovation summit and best practices knowledge-sharing retreat for business leaders. Founders of Constellation Academy, experiential workshops in applying disruptive technology to disruptive business models. Website: Contact: Sales: Unauthorized reproduction or distribution in whole or in part in any form, including photocopying, faxing, image scanning, ing, digitization, or making available for electronic downloading is prohibited without written permission from Constellation Research, Inc. Prior to photocopying, scanning, and digitizing items for internal or personal use, please contact Constellation Research, Inc. All trade names, trademarks, or registered trademarks are trade names, trademarks, or registered trademarks of their respective owners. Information contained in this publication has been compiled from sources believed to be reliable, but the accuracy of this information is not guaranteed. Constellation Research, Inc. disclaims all warranties and conditions with regard to the content, express or implied, including warranties of merchantability and fitness for a particular purpose, nor assumes any legal liability for the accuracy, completeness, or usefulness of any information contained herein. Any reference to a commercial product, process, or service does not imply or constitute an endorsement of the same by Constellation Research, Inc. This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold or distributed with the understanding that Constellation Research, Inc. is not engaged in rendering legal, accounting, or other professional service. If legal advice or other expert assistance is required, the services of a competent professional person should be sought. Constellation Research, Inc. assumes no liability for how this information is used or applied nor makes any express warranties on outcomes. (Modified from the Declaration of Principles jointly adopted by the American Bar Association and a Committee of Publishers and Associations.) San Francisco Andalucia Austin Belfast Boston Chicago Colorado Springs Denver London Los Angeles Monta Vista New York Pune Sacramento San Diego Santa Monica Sedona Sydney Tokyo Toronto Washington D.C Constellation Research, Inc. All rights reserved. 17

Case Study: Pioneer Metal Finishing System Consolidation in the Cloud Enables Rapid Growth Fast-Growing Metal Finishing Company Puts HR System in the Cloud By Holger Mueller Vice President and Principal

Report: Best Practices A Framework to Humanize the Internet of Things through Verbs Moving from Hype to Commercialization Using an Innovative Framework By Richie Etwaru Orbits Contributor Content Editor:

Case Study: Chiquita Brands and McKee Foods Five Years in the Cloud with Workday Best Practices from Two Early Cloud HCM Pioneers: Chiquita Brands and McKee Foods By R Ray Wang Principal Analyst and Chairman

Privacy Statement Kelly Services, Inc. and its subsidiaries ("Kelly Services" or Kelly ) respect your privacy and we acknowledge that you have certain rights related to any personal information we collect

Company Overview The Enterprise IT Cloud Company The modern enterprise relies on IT to deliver innovative business solutions and at the same time, ensure existing IT systems and services perform at the

Information Not Collected and Retained For the purposes of this statement "personally identifiable information" means any information relating to an identified or identifiable individual who is the subject

www.pwc.com The data breach lifecycle: From prevention to response IAPP global privacy summit (4:30-5:30) Draft v8 2-25-14 Common Myths 1. You have not been hacked. 2. Cyber security is about keeping the

Legal Notices The following describes the policies and practices of StanCorp Financial Group, Inc ( StanCorp Financial ) and its affiliates, vendors, and licensors with regards to the collection and use

To Professionals Who Know Online Marketing Is Important But Can t Seem To Get Started: Date: 23rd Sep 2009 Powerful search engines like Google, Yahoo! and MSN play a very important role on the internet.

The Business of Social Media Content Copyright 2014 Michael Simonetti BSc BE MTE, &Mine Pty Ltd. Not to be reproduced, re-presented or used in any way without written consent from the author. Game On Startups,

Concept report: The Australian Personal Loans Market - Targeting the high value personal loan customer www.rfintelligence.com About RFi Group RFi Group is a global intelligence and media provider focusing

I D C A N A L Y S T C O N N E C T I O N Dan Vesset Program Vice President, Business Analytics and Big Data Self-Service Big Data Analytics for Line of Business March 2015 Big data, in all its forms, is

United States of America Federal Trade Commission The Social Impact of Open Data Remarks of Maureen K. Ohlhausen 1 Commissioner, Federal Trade Commission Center for Data Innovation The Social Impact of

www.pwc.co.uk/financial-services There s no such thing as a free lunch Why fees are the future for current accounts January 2015 Introduction PwC s research into what customers think about their bank suggests

Big Data Integration Challenges and Opportunities in Accessing and Using Today s Information Research Report Executive Summary Sponsored by Copyright Ventana Research 2013 Do Not Redistribute Without Permission

E-commerce advice for business More and more Australian businesses are developing an online presence, either to complement their bricks and mortar operation or as their main shopfront. Messages from the

e Matters A 6-POINT FRAMEWORK BUSINESS TECHNOLOGY GROUP Companies considering adopting an electronic signature process may be overwhelmed by the legal, regulatory, litigation, technological and other practical

Navigating the cloud of Big Data hype, lessons to live by Andy Beale How much will be spent on Big Data? How much are forecasters saying will be spent on Big Data? $51 billion by 2017 Source: Wikibon 2014

AlienVault for Regulatory Compliance Overview of Regulatory Compliance in Information Security As computers and networks have become more important in society they and the information they contain have

PocketSuite Terms of Service Last modified: November 2015 These Terms of Service (these Terms ) constitute the agreement (this Agreement ) between PocketSuite, Inc. (the Company ) and the User (as defined

How Does Big Data Change Your Way of Managing Information? A Best-Practices Guide for Data Managers By Erian Laperi, Director Enterprise Data Management and Business Enablement at AT&T How Does Big Data

96% of Americans know this logo! But the feelings or impression the bulls-eye evokes is part of branding. Target has carefully crafted their brand as fun, design-oriented, innovative, value-driven, and

NLRB Holds That Employees Have the Right to Use Company Email Systems for Union Organizing Union and Non-Union Employers Are All Affected By Steven M. Swirsky December 12, 2014 In its Purple Communications,

Business Trends in Location Analytics Exploring the Impact of Geographic Context On Business Processes Research Report Executive Summary Copyright Ventana Research 2013 Do Not Redistribute Without Permission

Twitter: #VRBTIS and @ventanaresearch 1 Next Generation Analytics and Big Data for Business Finding Insight and Information that Matters and is Easily Understood Tony Cosentino VP & Research Director Marcus

A BUSINESS CASE FOR BEHAVIORAL ANALYTICS White Paper Introduction What is Behavioral 1 In a world in which web applications and websites are becoming ever more diverse and complicated, running them effectively

Companion for SharePoint Topic Analyst Companion for SharePoint All Your Information Enterprise-ready Enrich SharePoint, your central place for document and workflow management, not only with an improved

Take Control of your future with this residual income, home based business. Who is your online niche business? We re in the business of making your life better by helping you earn a part time income working

The APPNATION stage has been home to some of the world's leading app visionaries and emerging players who are defining the business of apps in today's rapidly growing market. The APPNATION NYC + TV 3.0

Sponsorship Proposal Colorado Small Business Event October 13th & 14th, 2015 Denver, Colorado The average annual revenue of a small business is $3.6 million. The average annual revenue of a small business

ENTERPRISE ASSET MANAGEMENT (EAM) The Devil is in the Details CASE STUDY 1 EXECUTIVE SUMMARY Enterprise Asset Management (EAM) is a strategy to provide an optimal approach for the management of the physical

THE ETHICS OF SOCIAL MEDIA Successfully Navigating the Digital Terrain presented by NAVIGATING THE SOCIAL MEDIA TERRAIN Continually evolving Great opportunities Risks! WHY SHOULD WE CARE? Can t we just

WHITE PAPER Creating your Intranet Checklist About this guide It can be overwhelming to run and manage an Intranet project. As a provider of Intranet software and services to small, medium and large organizations,

White Paper: Leveraging Web Intelligence to Enhance Cyber Security October 2013 Inside: New context on Web Intelligence The need for external data in enterprise context Making better use of web intelligence

Statement for the Record On Behalf of the AMERICAN BANKERS ASSOCIATION Before the Antitrust Tax Force Committee on the Judiciary United States House of Representatives May 15, 2008 Statement for the Record

Executive recruiting in the age of social media Will social media sites enable companies to one day do to the executive search industry what Amazon did to booksellers and Apple did to the music business?

Leading the Evolution WHITE PAPER BUSINESS RULES AND GAP ANALYSIS Discovery and management of business rules avoids business disruptions WHITE PAPER BUSINESS RULES AND GAP ANALYSIS Business Situation More

The Surplus Line Association Of California CA The Story of Non-admitted Insurance in California The Story of Non-Admitted Insurance in California It is vital an innovative and imaginative insurance marketplace